Businesses in Europe, the Middle East, and Africa (EMEA) are spending four times more of their budget on insurance for property, plant and equipment (PP&E) than they are covering cyber exposure.
That is according to a report released today by Aon in collaboration with the Ponemon Institute, which reveals that 60% of total physical asset values are protected, compared with 15% of potential information losses. This is despite 38% of EMEA firms suffering a cyber loss in the last 24 months, with an average of $3.3m (£2.5m) lost each time, and the potential business disruption from information asset losses being 50% greater than that from PP&E damage. With cybercrime annually costing an estimated $445 billion globally, cyber threats continue to be an important yet neglected issue, and with this complacency it is inevitable we will soon see the first large corporate failure as a result of cyber risk.
It was also found that just 30% of businesses are “fully aware” of the legal and economic consequences of the incoming EU General Data Protection Regulation (GDPR). This comes into force on 25 May 2018, with failure to comply potentially resulting in fines of up to €20m or 4% of an organisation’s global turnover – whichever is higher.
The findings follow NTT Security forecasts that European financial institutions will face fines totaling €4.7bn in the first three years under GDPR, with 384 data breaches expected by 2021. In addition, these predictions are thought to be conservative, excluding compensation claims, costs associated with lost customers, damaged reputations, and senior executive resignations.
It is recommended that senior management familiarise themselves with cyber risks and with the information security systems the business currently has in place, and that they develop incident response plans. A 2013 PwC survey of senior management showed only 22% of respondents conduct incident response planning with their third-party supply chain. Businesses should be asking themselves: what are the possible points of intrusion from unwanted sources? Are my existing security measures enough to address all the relevant risks facing my business? Are my employees well trained in technology so that cyber threats are minimised?
First-party coverage for business interruption stands as one of cyber liability insurance’s key features. For any business that has suffered a cyber incident, be it a hack, virus or data breach, the initial response is to consolidate the current losses caused by business being interrupted. This is part of what cyber liability insurance aims to cover.
“History tells us that companies that have dealt with data breaches poorly have seen loss of customers, reduced earnings and board level resignations,” AllClear ID CEO Bo Holland said. “GDPR raises the stakes even higher.”